Final Rule

Critical Infrastructure Protection Reliability Standard CIP-015-1—Cyber Security—Internal Network Security Monitoring

Final action.

Summary:

The Federal Energy Regulatory Commission (Commission) approves proposed Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC), submitted in response to a Commission directive. In addition, the Commission directs NERC to develop certain modifications to proposed Reliability Standard CIP-015-1 to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter. The Commission also provides greater clarity about the term CIP-networked environment as it is used in proposed Reliability Standard CIP-015-1.

Key Dates
Citation: 90 FR 28889
This action is effective September 2, 2025.

Document Details

Document Number: 2025-12309
FR Citation: 90 FR 28889
Type: Final Rule
Published: Jul 2, 2025
Effective Date: Sep 2, 2025
RIN: -
Docket ID: Docket No. RM24-7-000
Pages: 28889–28899 (11 pages)

Related Documents (by RIN/Docket)

Doc #: 2024-22231
Type: Proposed Rule
Title: Critical Infrastructure Protection Relia...
Published: Sep 27, 2024

Full Document Text

DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM24-7-000; Order No. 907]
Critical Infrastructure Protection Reliability Standard CIP-015-1—Cyber Security—Internal Network Security Monitoring

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Final action.

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves proposed Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC), submitted in response to a Commission directive. In addition, the Commission directs NERC to develop certain modifications to proposed Reliability Standard CIP-015-1 to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter. The Commission also provides greater clarity about the term CIP-networked environment as it is used in proposed Reliability Standard CIP-015-1.

DATES: This action is effective September 2, 2025.

FOR FURTHER INFORMATION CONTACT:

Margaret Steiner (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6704. Margaret.Steiner@ferc.gov

Hampden T. Macbeth (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8957. Hampden.Macbeth@ferc.gov

SUPPLEMENTARY INFORMATION:

1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),[1] the Commission approves proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted proposed Reliability Standard CIP-015-1 for Commission approval in response to a Commission directive in Order No. 887.[2] In Order No. 887, the Commission directed that NERC develop new or modified CIP Reliability Standards that require internal network security monitoring (INSM)[3] for the CIP-networked environment for all high impact bulk electric system (BES) Cyber Systems[4] with and without external routable connectivity[5] and medium impact BES Cyber Systems with external routable connectivity.[6]

[1] 16 U.S.C. 824o(d)(2).
[2] Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Order No. 887, 88 FR 8354 (Feb. 9, 2023), 182 FERC ¶ 61,021 (2023).
[3] INSM is a subset of network security monitoring that is applied within a trust zone, such as a perimeter zone with elevated credentials inside of an entity's internal network.
[4] NERC defines BES Cyber Systems as “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” See NERC, Glossary of Terms Used in NERC Reliability Standards, (February 26, 2025), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf (NERC Glossary). BES Cyber Systems are categorized as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-1a (BES Cyber System Categorization).
[5] External routable connectivity is “[t]he ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” NERC Glossary.
[6] Order No. 887, 182 FERC ¶ 61,021 at P 49.

2. Consistent with Order No. 887, Reliability Standard CIP-015-1 improves upon the currently effective CIP Reliability Standards by establishing requirements for INSM for network traffic inside an electronic security perimeter. Reliability Standard CIP-015-1 requires INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the identification of anomalous network activity indicating an ongoing attack.[7] Accordingly, the Commission approves Reliability Standard CIP-015-1 as it is largely responsive to the Commission's directives in Order No. 887 and will improve the security posture of the Bulk-Power System. We also approve the associated violation risk factors and violation severity levels, implementation plan, and effective date.

[7] NERC Petition at 1, 13.

3. In Order No. 887, the Commission used the term CIP-networked environment to define the “trust zone” in which INSM requirements should apply.[8] The Commission, however, did not define the term CIP-networked environment in Order No. 887. Nor did NERC propose a definition in its petition. Rather, NERC and other commenters ask in Notice of Proposed Rulemaking (NOPR) comments that the Commission clarify the meaning of the term CIP-networked environment.[9]

[8] E.g., Order No. 887, 182 FERC ¶ 61,021 at P 2.
[9] Critical Infrastructure Protection Reliability Standard CIP-015-1—Cyber Security—Internal Network Security Monitoring, 89 FR 79178 (Sept. 27, 2024), 188 FERC ¶ 61,175 (2024) (NOPR).

4. We clarify that the term CIP-networked environment does not cover all of a responsible entity's network. The CIP-networked environment includes traffic inside an electronic security perimeter but also extends beyond the perimeter. The CIP-networked environment includes the systems within the electronic security perimeter and network connections among and between electronic access control or monitoring systems (EACMS)[10] and physical access control systems (PACS)[11] external to the electronic security perimeter as discussed in greater detail below.[12] It is necessary to defend against attacks external to the electronic security perimeter because they may compromise systems such as EACMS and PACS, and then infiltrate the perimeter as a trusted communication. Thus, EACMS and PACS are included in the CIP-networked environment.

[10] EACMS are “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.” NERC Glossary.
[11] PACS are “Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.” Id.
[12] When we refer to EACMS and PACS in this final rule it also includes the network segments delineated in P 43, infra.

5. With this clarification, it is apparent that Reliability Standard CIP-015-1, which requires INSM only within the electronic security perimeter, is not fully compliant with the Commission's directive in Order No. 887. Therefore, pursuant to section 215(d)(5) of the FPA,[13] we direct NERC to develop further modifications to proposed Reliability Standard CIP-015-1, within 12 months of the effective date of the final rule in this proceeding, to extend INSM to include EACMS and PACS outside of the electronic security perimeter.

[13] 16 U.S.C. 824o(d)(5).

I. Background

A. Section 215 and Mandatory Reliability Standards

6. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.[14] Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.[15] Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,[16] and subsequently certified NERC.[17]

[14] Id. 824o(c).
[15] Id. 824o(e).
[16] Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006); see also 18 CFR 39.4(b).
[17] N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).

Preview showing 10k of 80k characters.